From Churchgoers to Military: ISIS 'Kill Lists' Explained
A Christmastime "hit list" of churches that appeared on a messenger app is far from the first such terrorist suggestion list, representing an escalating trend of terror supporters revealing reams of information on various targets compiled from public sources.
It's a tactic to sow panic that ISIS and its supporters have used before: putting out a list of purported targets, random information that's more of a data dump than a carefully curated list, often containing open-source information that a would-be jihadist could just get off of Google on his own.
It also represents the ideological crowdfunding of modern jihad: the terror outlet encourages followers to come up with ideas on training, weapons, targets and more -- many of the manuals and guidebooks are not issued by the same official ISIS media outlets that produce videos and magazines, but by supporters who have never left their home countries or jihadists who have taken a trip to the Islamic State -- and disseminate those tips across the web and encrypted messaging platforms.
A hacker working on the online campaign to take ISIS websites and social media accounts offline posted a screenshot of the threat discussion on Telegram that did not include a list of churches, but a link to USAChurches.org, a directory of some churches organized by state or denomination. The post also included links to Canadian, French and Dutch church directories, along with the call to target "churches, famous hotels, crowded cafes, crowded streets, markets and complexes."
It was not issued by an official ISIS media outlet.
Before Christmas, the FBI and Department of Homeland Security issued a bulletin to law enforcement agencies to be on the alert and watch houses of worship over the holidays, adding that there wasn't specific credible threat information. Similar alerts have previously been issued by the FBI around holidays and special events.
A spokeswoman for the FBI's Boston office told the Boston Herald that the FBI was "aware of the recent link published online that urges attacks against U.S. churches."
“The FBI asks members of the public to maintain awareness of their surroundings and to report any suspicious activity to law enforcement.”
It wasn't the first time ISIS supporters had distributed a hit list of religious targets. A July list that included church and synagogue members prompted Homeland Security officials to hold a conference call with Jewish leaders to discuss the finding. The list was compiled from directories posted on the religious institutions' websites.
That month, ISIS' Dabiq magazine issue was titled "Break the Cross," and argued "the true religion of Jesus Christ is a pure monotheistic submission – called Islam." A lengthy theological argument in the issue concluded with the warning that "if you continue to disbelieve, then know that you shall be defeated and then dragged altogether into Hell as your eternal, wicked abode." The magazine also profiled Abu Sa’d at-Trinidadi, a former Baptist from Trinidad and Tobago who converted to Islam and joined ISIS.
A hit list released by ISIS supporters the previous month featured thousands of American names including tech-industry execs and celebrities.
In June, PJM was able to download a 458-page kill list distributed by ISIS supporters on a file-sharing site. Most of the addresses on the list were in Ontario or Quebec. Many of the names were duplicates. Names appeared to follow no pattern other than being ordinary citizens, with their address, email and phone number posted. Some of the lines were gibberish, as if corrupt data had been downloaded in the process and was unedited by whoever prepared the list for release. There were two Canadians named Mohammad on the hit list.
Another #OpISIS hacker told PJM at the time that it appeared ISIS supporters were simply pulling names off of publicly accessible social media lists.
Occasionally, terrorists get hit-list names from hackers who have done their dirty work.
This year, a 20-year-old Kosovar named Ardit Ferizi was extradited from Malaysia after handing personal information of 1,351 U.S. government employees and military members over to late ISIS hacker Junaid Hussain and others in the organization "for the purpose of encouraging terrorist attacks against the identified individuals," according to the FBI affidavit. The stolen information, which was pilfered from the website of an unidentified retail company, included emails and passwords, addresses and phone numbers.
After the hacking, in August 2015, Hussain posted a message from the Islamic State Hacking Division claiming that they'd hacked the U.S. military and government instead of snagging the information from a hacker of online shopping.
Hussain tweeted out the list with the warning: “We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”
Hussain was killed that month. Other operations from his ISIS hacking division included the March 2015 release of a hit list containing the names of 100 U.S. military officers. This time they also claimed they hacked the Defense Department, but the Pentagon said the information posted by ISIS was accessible via social media and people-search sites. ISIS is believed to have compiled that list starting with news articles about anti-ISIS operations featuring the names of the targeted officers.
An Army guide on operational security (OPSEC) for service members and their families warns that an al-Qaeda handbook suggested terrorists search online for data about “government personnel and all matters related to them (residence, work place, times of leaving and returning, children and places visited)."
ISIS also maintains internal hit lists. Two ISIS terrorists murdered a priest during Mass in Normandy this July; the parish was one of several on a list found when an ISIS suspect was arrested in Paris in April 2015. Authorities believe the Algerian student had been in contact with ISIS figures in Syria about proposed church attacks.
ISIS and sympathizers have been moving many of their communications and dissemination of propaganda to the encrypted Telegram app, where the pre-Christmas posting about churches was located, for greater ease of communication as Twitter has cracked down on their accounts in fits and starts.